Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

TCP Flaw No Cause for Alarm

The threat posed by an exploit of the TCP has already been addressed where it matters most-at the core of the Internet.

While word of a major vulnerability in the fabric of the Internet leaked out a bit sooner than folks at the Department of Homeland Security would have liked, there isnt a whole lot to panic about.

The threat posed by an exploit of the TCP has already been addressed where it matters most—at the core of the Internet. Unless youre heavily using the BGP (Border Gateway Protocol) to manage routing of your network traffic to ISPs, odds are that youre not at risk.

The potential problem only applies to applications that rely on having a long-term TCP session between two points. But few applications use TCP for such applications—streaming video and audio, for example, typically rely on the UDP (User Datagram Protocol) instead.

Unfortunately, one place where such long-term TCP sessions are common is communication between routers over BGP. The greatest vulnerability is at "peer border routers"—the routers at the edge of an ISPs network that link pairs of ISPs together.

"If BGP peers get knocked off, it can take some time to rebuild those connections," says Peter Stapleton, director of product marketing for Computer Associates International Inc.

By sending a "spoofed," or faked, TCP message, an attacker could reset the TCP session between two border routers; that would reset the BGP session between them as well, and any routing information built between the routers would have to be rebuilt. If carried out repeatedly, the attack could stop traffic between two ISPs by way of that peer connection.

Fortunately, most ISPs have already taken steps to secure the traffic between their peer border routers. "Its something weve known about in the operations community for over a week now," says Bill Woodcock, research director of the Packet Clearing House, a nonprofit organization that promotes Internet stability by working with ISPs.

In that time, ISPs have been working with each other to secure each of their peer links "using an MD5 (Message Digest 5) Hash to protect each session," says Woodcock, "putting a unique password on every interconnection between each pair of ISPs."

The MD5 algorithm, designed by Ron Rivest in 1991, has been available for some time; it was defined as an optional extension to BGP in the Internet Engineering Task Forces RFC 2358 back in 1998. "Its been around for a while," says Stapleton, "but as far as being a common practice, thats another matter. Up until now, it hasnt been used that much."

That has changed in the last week. "All of the big guys got this done days ago," says Woodcock. "Its come down to the last couple of small guys who are harder to pay attention—the vulnerability will only affect smaller ISPs that are less concerned about security."